Add AgentID authorization contract example

[dinpd]

Summary

Adds an optional AgentID provider authorization contract example for enterprise gateways routing GitHub MCP Server traffic.

Why

This documents a complementary pattern for organizations that want per-tool blast-radius metadata, required context, approval/JIT requirements, and scoped receipt bindings before forwarding high-risk agent-originated GitHub MCP tool calls.

Fixes #

What changed

• Added docs/agentid-provider-contract.md with an illustrative AgentID provider contract for selected read/write GitHub MCP tools.
• Linked the example from docs/policies-and-governance.md alongside existing governance controls.

MCP impact

• No tool or API changes
• Tool schema or behavior changed
• New tool added

Docs-only change. This does not alter exposed tools, server behavior, authentication, or authorization enforcement.

Prompts tested (tool changes only)

• N/A, docs-only change.

Security / limits

• No security or limits impact
• Auth / permissions considered
• Data exposure, filtering, or token/size limits considered

The example states that GitHub API authorization remains the final enforcement point, and that this pattern complements existing toolsets, read-only mode, token scopes, and native permission checks.

Tool renaming

• I am renaming tools as part of this PR
  • I have added the new tool aliases in deprecated_tool_aliases.go
• I am not renaming tools as part of this PR

Lint & tests

• Linted locally with ./script/lint
• Tested locally with ./script/test

Not run; docs-only change. Ran git diff --check locally.

Docs

• Not needed
• Updated (README / docs / examples)